Google Vault: Beyond Setup

Vault is a powerful tool that allows users that have access to it the ability to search and view:

  • Gmail messages
  • Google Group posts
  • Most files in Google Drive and shared drives, excluding Jamboards and Sites as of now
    Conversations in Chat with history turned on
  • All recordings in Meet

If you are looking to get information about what Vault does, please refer to our past blog, Google Vault: What Does it Do? This blog is designed to go deeper into Vault configurations.

With great power comes great responsibility!

If your Google Workspace domain is set up like most domains we have audited in the past, there are any number of Super Admins with the power of Vault sitting at the tip of their fingers. Is it really necessary for a network administrator, a technician, a superintendent, or a technology coordinator to have access to this power? Do you trust any one of these Super Admins you may have on your Google Workspace domain not to abuse this power? At CDW Amplified for Education, we have heard stories from districts of this power being abused and serious consequences thereafter.

What can I do to tighten up access to Vault?  

The first thing you will want to do is to grant access to the Vault system using access groups. You'll start by turning off OFF Vault at the root of your Organizational Structure.

*Turning the Vault service OFF doesn’t affect the retention policies set. It simply removes the user's ability to access Vault from the waffle menu and navigating to it.


Then, create a Google Group and add only the users you want to have access to the Vault system and tighten the access settings of that group.



Finally, turn ON the Google Vault service for this newly created group only. This process ensures only authorized users will be accessing the Vault system.


So far this is great. We tightened up access to the Vault system and gave access to only those that would need to use this service. Unfortunately, we still have an issue of accountability. Who knows if any of the users you’ve assigned access to the Vault system will abuse this power. Recent changes to Google Workspace have removed Super Admins’ ability to access all of Vault’s privileges unless the Service is turned ON for them specifically. They may be suspicious and want to know what other users are saying about them by searching their name? Maybe there is a boss using Vault to keep tabs on employees that she/he is targeting?

To help prevent this abuse of power, we can set up a Vault Access Workflow which involves multiple users, each with different levels of access to Vault with an approval process. First and foremost, meet with your team and decide on a workflow that works in your institution. Then get it written down as a procedure or a policy to follow going forward. This step is an important part of the process and shouldn’t be overlooked.

How to set up a Vault Access Workflow

Typically, there are three main types of personas when dealing with Vault access:

  • Requesters – Principals, assistant principals, HR managers, SRO, or other administrators looking for information. Reasons could be for legal requests, freedom of information requests, internal investigations, or data compliance investigations.

  • Vault Admin – The person that would execute the investigations and export data for sharing with the requester.

  • Vault Owner – The person that approves the investigations and can access audits of the vault searches and sets all the retention policies.

Giving the right access to the right persona with Admin roles

Requesters will need a way to request to a Vault owner what information he/she is looking for. This can be a Google Form, a support ticketing system, or any other means you see fit to work in your institution.

Vault Admins will need access to Manage Matters, Manage Holds, Manage Searches and Manage Exports. When you have multiple campuses, you can have multiple Vault Admins and restrict access to information from Vault to an OU.


Vault owners will need access to Manage Retention Policies, Manage Audits and View All Matters. This doesn’t give Vault owners the power to get information from Vault like Vault admins can (unless they are Super Admins), but Vault owners can grab audit reports of the Vault admins to be sure they are not abusing their power.

*In some cases, if your institution employs a Privacy Officer or the HR department wants the burden of Vault, then more access can be given to a Vault owner.

*Keep in mind that Super Admins have access to all privileges, so assigning a SA as a Vault owner will not remove the ability to Manage Matters, Holds, Searches, and Exports.


A Vault Access Workflow example

  1. Requesters make their request to Vault Owners.
  2. Vault Owners approve or deny the request, when approved.
  3. Vault Admins process the request in Vault.
  4. Vault Owner verifies the information is what the requester needed.
  5. Vault Admins pull exports the information.
  6. Vault Admins share the information with the Requester.

Next Steps:

  • Consider demoting most of your Super Admin accounts, remove access to all of Vault and don’t use remaining Super Admin accounts as your daily drivers.

  • A Digital Data Retention Policy should be established by school boards/administrations and then IT admins should align Vault retention policies, account life cycles and any 3rd party backup solutions you may have to the retention period laid out in the policy. Be sure to have that data expunged as per your institution’s Digital Data Retention Policy’s retention period.

If you would like help making sure your domain settings are set up to EDU best practices, connect with us to request an audit overview call with your Google Customer Service Specialist and we will go over the full details with you.


Document Version Date Description of Change
1.0 3/18/2024 Update reference of RAM to GCSS
1.1 5/28/2024 Removed author block


Articles in this section

See more